If you use PuTTY to connect to your AIX or Linux systems, you can create an OpenSSH key-pair using the PuTTYgen application and then copy the key to your AIX host, which enables you to log in without requiring a password. However, the disadvantages of this approach are:
- There is no way to prevent a user from having a key without any pass-phrase, or to control the quality, content, or age, etc. of the pass-phrase. Therefore, if somebody has access to their PC, they can log in without a password and/or steal the key.
- If you are at home, or in another remote location where you don't have access to your private-key file, and you have turned off password authentication, you are stuck. This also applies if you lose the key file.
One possible solution is to restrict root or your normal account(s) to SSH key-only authentication, and then set up a restricted rescue account that has as little functionality and privilege as possible, except that it enables you to su/sudo.
Many hackers routinely scan port 22 for SSH services and then try to guess the root password, so one possibility is to set up a dedicated service on port 443: most firewalls allow HTTPS/SSL traffic, and hackers would not normally notice SSH on this port.
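A sketch of that layout, added here as an example and not taken from the original post: the embedded `sshd_config` is a constructed sample (the account name `rescue` is an assumption) that listens on ports 22 and 443, and the Python around it checks which accounts can still log in with a password. It understands only literal `Match User` lists.

```python
# Constructed sample sshd_config for the layout described above.
# "rescue" is a hypothetical account name; only it may use a password.
SAMPLE = """\
Port 22
Port 443
PermitRootLogin prohibit-password
PasswordAuthentication no
Match User rescue
    PasswordAuthentication yes
    AllowTcpForwarding no
    X11Forwarding no
"""

def parse(text):
    """Return (globals, [(user_set, settings)]); first value of a keyword wins."""
    glob, blocks, current = {"port": []}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            crit, _, users = value.partition(" ")
            if crit.lower() != "user":   # simplification: Match User only
                raise ValueError("unsupported Match criterion: " + crit)
            current = {}
            blocks.append((set(users.strip().split(",")), current))
        elif key == "port" and current is None:
            glob["port"].append(value)   # Port may be given several times
        else:
            (glob if current is None else current).setdefault(key, value)
    return glob, blocks

def effective(text, user, keyword, default):
    """Value applied to `user`: first matching Match block, else global."""
    glob, blocks = parse(text)
    for users, settings in blocks:
        if user in users and keyword in settings:
            return settings[keyword]
    return glob.get(keyword, default)

def password_users(text, accounts):
    """Accounts in `accounts` that can still log in with a password."""
    def allowed(u):
        pw = effective(text, u, "passwordauthentication", "yes") == "yes"
        root_ok = effective(text, u, "permitrootlogin", "prohibit-password") == "yes"
        return pw and (u != "root" or root_ok)   # root also needs PermitRootLogin yes
    return [u for u in accounts if allowed(u)]
```

The check covers only `PasswordAuthentication`; keyboard-interactive (PAM) prompts are controlled by a separate setting. On a real host, `sshd -T` with `-C user=...` reports what the daemon itself would apply.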